That's correct. In that case, a hardware firewall will be the best solution. For big forums, we set up a proxy server that acts as an intermediary for requests, so the real server IP isn't exposed.If you expose your original IP, they will be able to attack you even with cloudflare enabled.
Probably not since it looks like a Layer 7 attack that just doesn't get filtered by Cloudflare. Without any configuration Cloudflare plans below Business don't help you that much, you should look into the WAF which has some Anti DDoS rules that you can enable and as already mentioned the under attack mode.If you are still being DDOS'd after having cloudflare, then your sites true IP is known. Ask your host to switch your IP after making sure your IP is not being leaked through:
If on shared hosting, then that is controlled by the hosting provider and usually the only way to resolve it is to move up on your hosting plan.Hello,
How to do?
max_connections = ???segment in the config file.
if (!empty($_SERVER['CF_CCONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['CF_CCONNECTING_IP'];